Cold-call tech support scams. Didn't they go away when the Federal Trade Commission cracked down on them in the US? Actually, while the FTC crackdown wasn't quite as comprehensive as it might have seemed, there's no doubt that the number of classic "I'm-ringing-from-Microsoft-to-tell-you-that-you-have-viruses-but-I-can-help-you-for-a-small-fee" cold-calls has declined (round here at any rate, but maybe they just figured that ringing someone who wrote as extensively as I do about the scam wasn't much of a sales prospect).
Still, it seems that what is happening here is evolution, not extinction. Last month, my colleague Jean-Ian Boutin reported malware that not only combines fake AV with basic screenlocking ransomware (signed digitally, too, though that certificate has been revoked), but also offers a toll-free number where the victim can get help (for a price). According to Jean-Ian, ringing that number gets you in contact with a technician who delivers the same sort of support scam pitch that I've described in detail elsewhere, for instance in this Virus Bulletin paper (co-written with Martijn Grooten, Steve Burn and Craig Johnston): My PC has 32,539 errors: how telephone support scams really work. The obvious difference is that this time the onus is on the victim to call the 'helpline', rather than the 'push' cold-call model.
However, Malwarebytes' Jerome Segura did get a more traditional scam call, and even got his PC trashed (it was actually a virtual machine, of course, so no damage done) when he wasn't quick enough to supply his credit card details. He also reported a new (to me, anyway) variation on the theme of misrepresentation of a system utility to convince the victim that their machine is infected or corrupted. In this case, the utility was MSCONFIG: apparently stopped processes mean Something Nasty is at work. Perhaps the most interesting feature of this call, though, was that both the initial caller and the technician who was supposed to fix the problem insisted that Segura had to ask them to proceed with the 'fix', again putting the onus on the victim.
Today, Paul Ducklin of Sophos reports an instance of a deceptive pop-up used to drive the victim into calling a helpline. He suggests that the mechanism is along the lines of:
"Don't waste your time calling 10,000 people until you find one who is scared enough that you can intimidate them into paying up!
Pre-select your victims by getting them to call you..."
Well, I'm sure there's an element of that, but I think there's also the same element of trying to cover your butt with a 'he called us, we didn't call him' defence. Though if these scammers think that their 'sin' lies in making unsolicited phone calls, they're missing the point. Fraudulent misrepresentation is a scam, regardless of whether the victim initiated the phone call. Fake AV and ransomware are still malware, and malware is criminal behaviour in most jurisdictions. And a pop-up that lies to you about the health of your PC is still criminal if it leads to a fake scan and a subsequent fraudulent transaction, irrespective of the disarmingly accurate (but virtually unreadable) disclaimer that Ducklin references in his article. Bizarrely, it states that anything on the site should not be taken literally or as non-fiction. Well, they got that right.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow